Analecta Cyber Company Blog: ALERT: New Ransomware steals passwords before encrypting files

2015-12-24


Angler, considered to be the world's worst exploit kit, has just received an upgrade, and everyone is being warned not to visit poorly secured websites, as this could lead to alarming results. The upgrade to Angler allows attackers to develop and conduct their own drive-by attacks on visitors' computers with relatively little difficulty.

The attack proceeds as follows. First, the malware steals the user's passwords; then it locks the user out remotely and demands a ransom. All of their data is encrypted, which means that the user can no longer access their own PC.

According to a security blog post, the Angler exploit kit searches for a vulnerable application, such as Adobe Flash, on the visitor's PC. The kit then delivers malicious payloads, infecting the victim's PC with a widely used data-stealing trojan known as Pony. Pony systematically harvests all login usernames and passwords stored on the infected system and sends them to servers controlled by the attackers. Once the attackers hold numerous working logins belonging to the user, they can go on to steal more data, which is then encrypted as well. The next step is to drop the widely used CryptoWall 4.0 ransomware, which locks the user's files until a ransom is paid.

Currently, the scheme is one of the most sophisticated and effective ransomware attacks, combining the following: World's Worst Exploit Kit + World's Worst Password Stealer + World's Worst Ransomware. Researchers believe that this campaign originates from a secure hosting environment in Ukraine. They also added that more than 100 web pages in Denmark have been injected with the malicious script, but they believe it will not be limited to Europe and can be used to target vulnerable PCs worldwide.

According to the FBI, losses due to this scheme have totaled $18 million, and the ransomware continues to attack thousands of Internet users every week. Additionally, recent reports suggest that in the past year the CryptoWall family alone raised over $325 million in revenue.

Two options for the infected

Experts have warned the public that once your system is infected by CryptoWall 4.0, you are left with only two options: format your computer and restore your data from a backup, if you have one, or pay the ransom for the decryption key. The reason is that the encryption used by the ransomware is so strong that it is almost unbreakable, so trying to unlock the files without the key is not feasible. Experts nevertheless discourage anyone from paying the ransom, as it does not guarantee that you will receive the decryption key, and it also encourages the criminals to carry out such attacks more and more often.

As a precautionary measure, it is therefore advised to keep your systems and applications up to date, to be proactive in raising awareness within your organization, and to regularly maintain backups of your files on an external hard drive. Also, since the majority of malware and viruses are introduced by clicking on links attached to spam emails from unknown sources, be vigilant enough not to fall victim to such a scheme.